Manage IAM policies using Python boto3 and AWS CLI

IAM policies are how permissions are granted to groups, users and roles in AWS. A policy is a JSON document listing the actions that are allowed (or explicitly denied) on particular resources. In this tutorial we are going to learn how to manage IAM policies using Python (boto3) and the AWS CLI. So, let's get started.

List Managed IAM Policies

When we create an AWS account, it already contains a set of predefined IAM policies. These are AWS managed policies (policies created and maintained by AWS); the ones we create ourselves are called customer managed policies. The first thing we will do is list all the policies in the account.

The IAM client's list_policies call returns the managed policies in the account; with no arguments it returns AWS managed and customer managed policies together. There are a few important parameters to know when listing policies.

Scope – It has three possible values: 'AWS', 'Local' and 'All'. Use 'AWS' to list only AWS managed policies, 'Local' to list only the customer managed policies created in this account, and 'All' (the default) to list both.

OnlyAttached – (True|False) By default it is False and all policies are returned. If it is True, only policies currently attached to at least one group, user or role are returned.

MaxItems – Limits the number of policies returned in one call. The response is paginated: if IsTruncated is true in the response, pass the returned Marker into the next call (or use the client's get_paginator('list_policies')) to fetch the remaining policies, otherwise a long list is silently cut short.

Create IAM policy

Now that we have listed the managed policies in AWS, let us create our first customer managed (local) policy. To create a policy we need a policy document, which is nothing but a list of permissions on AWS resources written in JSON. If you are not familiar with writing a policy document, the AWS Policy Generator can produce one for you. The policy document below grants read and write access to a single S3 bucket. I have created an S3 bucket named my-test-bucket-123df, and the policy grants read and write access to that bucket and to no other S3 bucket. Note that bucket-level actions such as s3:ListBucket apply to the bucket ARN itself, while object actions such as s3:GetObject and s3:PutObject apply to the objects inside it, i.e. the bucket ARN followed by /*; putting object actions on the bucket ARN grants nothing useful.
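The following is an added example, not code from the original post. It builds the single-bucket read/write policy document for the bucket the post names (my-test-bucket-123df), audits it for the common over-granting mistakes (wildcard actions, wildcard or foreign resources, wrong Version) before anything is sent to AWS, and only then calls create_policy. The policy name, the Sid values, the audit rules and the injected client are this example's own assumptions; the document and audit run offline, and boto3 is only imported for the live call.

```python
"""Build, audit and create a customer managed policy scoped to one S3 bucket.
Added example (not the post's code). Assumptions: policy name, Sids and audit
rules are this example's own; BUCKET is the bucket named in the post."""
import json

BUCKET = "my-test-bucket-123df"          # bucket the post created
POLICY_NAME = "S3ReadWriteSingleBucket"  # assumed policy name


def build_policy_document(bucket):
    """Return a policy document granting read/write on exactly one bucket.

    Bucket-level actions go on the bucket ARN; object-level actions go on the
    objects inside it (bucket ARN + '/*'). Keeping them in separate statements
    avoids granting object actions on the bucket ARN, which does nothing useful.
    """
    bucket_arn = f"arn:aws:s3:::{bucket}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "ListOneBucket",
             "Effect": "Allow",
             "Action": ["s3:ListBucket", "s3:GetBucketLocation"],
             "Resource": bucket_arn},
            {"Sid": "ReadWriteObjectsInOneBucket",
             "Effect": "Allow",
             "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
             "Resource": f"{bucket_arn}/*"},
        ],
    }


def audit_policy_document(doc, bucket):
    """Return a list of findings; an empty list means the document is scoped
    to the given bucket only. Catches '*' / 's3:*' actions, '*' resources and
    any resource that is not the bucket or an object inside it."""
    findings = []
    if doc.get("Version") != "2012-10-17":
        findings.append("Version must be 2012-10-17")
    bucket_arn = f"arn:aws:s3:::{bucket}"
    for stmt in doc.get("Statement", []):
        sid = stmt.get("Sid", "<no Sid>")
        actions = stmt.get("Action", [])
        resources = stmt.get("Resource", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = [resources] if isinstance(resources, str) else resources
        if any(a in ("*", "s3:*") for a in actions):
            findings.append(f"{sid}: wildcard action")
        for res in resources:
            if res != bucket_arn and not res.startswith(bucket_arn + "/"):
                findings.append(f"{sid}: resource {res} is outside {bucket}")
    return findings


def create_policy(iam, name, doc):
    """Create the customer managed policy with a boto3 IAM client and return
    its ARN. The client is injected so the steps above need no credentials."""
    resp = iam.create_policy(
        PolicyName=name,
        PolicyDocument=json.dumps(doc),
        Description=f"Read/write access to s3://{BUCKET} only",
    )
    return resp["Policy"]["Arn"]


if __name__ == "__main__":
    import boto3  # needed only for the live create_policy call

    document = build_policy_document(BUCKET)
    problems = audit_policy_document(document, BUCKET)
    if problems:
        raise SystemExit("refusing to create policy: " + "; ".join(problems))
    print(json.dumps(document, indent=2))
    print(create_policy(boto3.client("iam"), POLICY_NAME, document))
```

The audit step is the part worth keeping in any automation: it turns "only this bucket" from a comment into a check that fails the run when someone later edits the document to `s3:*` on `*`.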

Create a New version of IAM Policy

There will be times when we need to update a customer managed policy (AWS managed policies cannot be changed). Instead of editing the policy in place, we create a new version of it and make that version the default. We also have the option to roll back to a previous version if we have to.

There are a few things to remember before we create a new version of a policy. A managed policy can have at most 5 versions, so once the limit is reached we must delete an old version before creating a new one, and the default version cannot be deleted. While creating a policy version we can make it the default by setting the SetAsDefault parameter to True. Now that we know this, let us see how to create a policy version.

Delete Policy

Now we are going to write code for deleting an IAM policy using Python. Before we can delete a policy, we need to make sure it has been detached from all groups, users and roles. Not only that, we have to delete all versions of that policy except the default version; the default version is removed together with the policy itself. So let us start by deleting a policy version.

Now let us write a script to delete an IAM policy using the AWS CLI. I am not writing the loops here, but you get the idea. If you want the script with a loop that deletes all versions of the policy and detaches it from all groups, users and roles, please let me know in the comments.
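Because the version-limit handling above and the detach-then-delete procedure in this section call the same IAM APIs, here is one added Python example (not the post's code) that covers both: create_version_with_room evicts the oldest non-default version when a policy already has 5 and then creates the new default version; delete_policy_completely pages through list_entities_for_policy, detaches the policy from every group, user and role, deletes every non-default version and finally deletes the policy. Both functions take any object exposing the boto3 IAM client methods they call, so in a real account you pass boto3.client("iam"). FakeIAM is a constructed in-memory stand-in that returns the same response shapes and raises where IAM would (deleting the default version, exceeding 5 versions, deleting an attached policy); it and the fixture policy ARN are this example's assumptions and exist only so the logic runs offline.

```python
"""Rotate versions of a customer managed policy inside the 5-version limit and
delete a policy safely (detach everywhere, drop non-default versions, delete).
Added example, not the post's code: the two functions take any object with the
boto3 IAM client methods they call (pass boto3.client("iam") for a real
account); FakeIAM is a constructed in-memory stand-in so this runs offline."""
import json
from datetime import datetime, timedelta

MAX_VERSIONS = 5  # IAM limit on versions per managed policy


def create_version_with_room(iam, policy_arn, document):
    """Create a new default version, evicting the oldest non-default version first
    if the policy is already at the limit. Returns the new VersionId."""
    versions = iam.list_policy_versions(PolicyArn=policy_arn)["Versions"]
    if len(versions) >= MAX_VERSIONS:
        # The default version can never be deleted, so choose among the others.
        oldest = min((v for v in versions if not v["IsDefaultVersion"]),
                     key=lambda v: v["CreateDate"])
        iam.delete_policy_version(PolicyArn=policy_arn, VersionId=oldest["VersionId"])
    resp = iam.create_policy_version(PolicyArn=policy_arn, SetAsDefault=True,
                                     PolicyDocument=json.dumps(document))
    return resp["PolicyVersion"]["VersionId"]


def delete_policy_completely(iam, policy_arn):
    """Detach from all groups, users and roles, delete every non-default version,
    then delete the policy. Returns counts of what was removed."""
    removed = {"groups": 0, "users": 0, "roles": 0, "versions": 0}
    kwargs = {"PolicyArn": policy_arn}
    while True:  # list_entities_for_policy pages via IsTruncated/Marker
        page = iam.list_entities_for_policy(**kwargs)
        for g in page.get("PolicyGroups", []):
            iam.detach_group_policy(GroupName=g["GroupName"], PolicyArn=policy_arn)
            removed["groups"] += 1
        for u in page.get("PolicyUsers", []):
            iam.detach_user_policy(UserName=u["UserName"], PolicyArn=policy_arn)
            removed["users"] += 1
        for r in page.get("PolicyRoles", []):
            iam.detach_role_policy(RoleName=r["RoleName"], PolicyArn=policy_arn)
            removed["roles"] += 1
        if not page.get("IsTruncated"):
            break
        kwargs["Marker"] = page["Marker"]
    for v in iam.list_policy_versions(PolicyArn=policy_arn)["Versions"]:
        if not v["IsDefaultVersion"]:
            iam.delete_policy_version(PolicyArn=policy_arn, VersionId=v["VersionId"])
            removed["versions"] += 1
    iam.delete_policy(PolicyArn=policy_arn)  # the default version goes with it
    return removed


class FakeIAM:
    """Constructed stand-in: boto3 response shapes, raising where IAM would."""
    def __init__(self, versions, groups=(), users=(), roles=()):
        self.versions = list(versions)
        self.groups, self.users, self.roles = list(groups), list(users), list(roles)
        self.deleted = False
        self._next = max(int(v["VersionId"][1:]) for v in versions) + 1
    def list_policy_versions(self, PolicyArn):
        return {"Versions": list(self.versions), "IsTruncated": False}
    def delete_policy_version(self, PolicyArn, VersionId):
        target = next(v for v in self.versions if v["VersionId"] == VersionId)
        if target["IsDefaultVersion"]:
            raise RuntimeError("DeleteConflict: cannot delete the default version")
        self.versions.remove(target)
    def create_policy_version(self, PolicyArn, PolicyDocument, SetAsDefault=False):
        if len(self.versions) >= MAX_VERSIONS:
            raise RuntimeError("LimitExceeded: policy already has 5 versions")
        for v in self.versions:  # a new default demotes the old one
            v["IsDefaultVersion"] = v["IsDefaultVersion"] and not SetAsDefault
        new = {"VersionId": f"v{self._next}", "IsDefaultVersion": SetAsDefault,
               "CreateDate": datetime(2024, 1, 1) + timedelta(days=self._next)}
        self._next += 1
        self.versions.append(new)
        return {"PolicyVersion": new}
    def list_entities_for_policy(self, PolicyArn, Marker=None):
        return {"PolicyGroups": [{"GroupName": g} for g in self.groups],
                "PolicyUsers": [{"UserName": u} for u in self.users],
                "PolicyRoles": [{"RoleName": r} for r in self.roles],
                "IsTruncated": False}
    def detach_group_policy(self, GroupName, PolicyArn): self.groups.remove(GroupName)
    def detach_user_policy(self, UserName, PolicyArn): self.users.remove(UserName)
    def detach_role_policy(self, RoleName, PolicyArn): self.roles.remove(RoleName)
    def delete_policy(self, PolicyArn):
        if self.groups or self.users or self.roles or len(self.versions) > 1:
            raise RuntimeError("DeleteConflict: policy still attached or has versions")
        self.deleted = True


def make_full_policy():
    """Constructed fixture: versions v1-v5 (v3 default), attached to a group and a role."""
    versions = [{"VersionId": f"v{i}", "IsDefaultVersion": i == 3,
                 "CreateDate": datetime(2024, 1, 1) + timedelta(days=i)} for i in range(1, 6)]
    return FakeIAM(versions, groups=["devs"], roles=["app-role"])


if __name__ == "__main__":
    iam, arn = make_full_policy(), "arn:aws:iam::123456789012:policy/Example"  # assumed ARN
    print("new default:", create_version_with_room(iam, arn, {"Version": "2012-10-17", "Statement": []}))
    print("removed:", delete_policy_completely(iam, arn))
```

Run against the fixture, the first call evicts v1 (the oldest version that is not the default) and creates v6 as the new default; the second detaches the group and the role, deletes v2 to v5 and then deletes the policy. Against a real account the same ordering matters: IAM refuses DeletePolicy while any attachment or non-default version remains, and refuses DeletePolicyVersion for the default version.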

Conclusion

In this tutorial, we have learned how to manage IAM policies using Python and the AWS CLI. This is very useful when you have to automate IAM management from scripts or from your applications. I hope you found this useful. See you in the next article.

Mahesh Mogal

I am passionate about Cloud, Data Analytics, Machine Learning, and Artificial Intelligence. I like to learn and try out new things. I have started blogging about my experience while learning these exciting technologies.